1 {
2 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
3 .insns = {
4 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6 BPF_MOV64_IMM(BPF_REG_0, 0),
7 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
9 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
10 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
11 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
12 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
13 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
14 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
15 BPF_MOV64_IMM(BPF_REG_2, 16),
16 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
17 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
18 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
19 BPF_MOV64_IMM(BPF_REG_4, 0),
20 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
21 BPF_MOV64_IMM(BPF_REG_3, 0),
22 BPF_EMIT_CALL(BPF_FUNC_probe_read),
23 BPF_MOV64_IMM(BPF_REG_0, 0),
24 BPF_EXIT_INSN(),
25 },
26 .result = ACCEPT,
27 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
28 },
29 {
30 "helper access to variable memory: stack, bitwise AND, zero included",
31 .insns = {
32 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
33 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
34 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
35 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
36 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
37 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
38 BPF_MOV64_IMM(BPF_REG_3, 0),
39 BPF_EMIT_CALL(BPF_FUNC_probe_read),
40 BPF_EXIT_INSN(),
41 },
42 .errstr = "invalid indirect read from stack off -64+0 size 64",
43 .result = REJECT,
44 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
45 },
46 {
47 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
48 .insns = {
49 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
50 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
52 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
53 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
54 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
55 BPF_MOV64_IMM(BPF_REG_4, 0),
56 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
57 BPF_MOV64_IMM(BPF_REG_3, 0),
58 BPF_EMIT_CALL(BPF_FUNC_probe_read),
59 BPF_MOV64_IMM(BPF_REG_0, 0),
60 BPF_EXIT_INSN(),
61 },
62 .errstr = "invalid stack type R1 off=-64 access_size=65",
63 .result = REJECT,
64 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
65 },
66 {
67 "helper access to variable memory: stack, JMP, correct bounds",
68 .insns = {
69 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
70 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
71 BPF_MOV64_IMM(BPF_REG_0, 0),
72 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
73 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
74 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
75 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
76 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
77 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
78 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
79 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
80 BPF_MOV64_IMM(BPF_REG_2, 16),
81 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
82 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
83 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
84 BPF_MOV64_IMM(BPF_REG_4, 0),
85 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
86 BPF_MOV64_IMM(BPF_REG_3, 0),
87 BPF_EMIT_CALL(BPF_FUNC_probe_read),
88 BPF_MOV64_IMM(BPF_REG_0, 0),
89 BPF_EXIT_INSN(),
90 },
91 .result = ACCEPT,
92 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
93 },
94 {
95 "helper access to variable memory: stack, JMP (signed), correct bounds",
96 .insns = {
97 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
98 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
99 BPF_MOV64_IMM(BPF_REG_0, 0),
100 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
101 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
103 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
104 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
105 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
106 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
107 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
108 BPF_MOV64_IMM(BPF_REG_2, 16),
109 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
110 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
111 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
112 BPF_MOV64_IMM(BPF_REG_4, 0),
113 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
114 BPF_MOV64_IMM(BPF_REG_3, 0),
115 BPF_EMIT_CALL(BPF_FUNC_probe_read),
116 BPF_MOV64_IMM(BPF_REG_0, 0),
117 BPF_EXIT_INSN(),
118 },
119 .result = ACCEPT,
120 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
121 },
122 {
123 "helper access to variable memory: stack, JMP, bounds + offset",
124 .insns = {
125 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
128 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
129 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
130 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
131 BPF_MOV64_IMM(BPF_REG_4, 0),
132 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
134 BPF_MOV64_IMM(BPF_REG_3, 0),
135 BPF_EMIT_CALL(BPF_FUNC_probe_read),
136 BPF_MOV64_IMM(BPF_REG_0, 0),
137 BPF_EXIT_INSN(),
138 },
139 .errstr = "invalid stack type R1 off=-64 access_size=65",
140 .result = REJECT,
141 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
142 },
143 {
144 "helper access to variable memory: stack, JMP, wrong max",
145 .insns = {
146 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
149 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
150 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
151 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
152 BPF_MOV64_IMM(BPF_REG_4, 0),
153 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
154 BPF_MOV64_IMM(BPF_REG_3, 0),
155 BPF_EMIT_CALL(BPF_FUNC_probe_read),
156 BPF_MOV64_IMM(BPF_REG_0, 0),
157 BPF_EXIT_INSN(),
158 },
159 .errstr = "invalid stack type R1 off=-64 access_size=65",
160 .result = REJECT,
161 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
162 },
163 {
164 "helper access to variable memory: stack, JMP, no max check",
165 .insns = {
166 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
169 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
170 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
171 BPF_MOV64_IMM(BPF_REG_4, 0),
172 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
173 BPF_MOV64_IMM(BPF_REG_3, 0),
174 BPF_EMIT_CALL(BPF_FUNC_probe_read),
175 BPF_MOV64_IMM(BPF_REG_0, 0),
176 BPF_EXIT_INSN(),
177 },
178
179 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
180 .result = REJECT,
181 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
182 },
183 {
184 "helper access to variable memory: stack, JMP, no min check",
185 .insns = {
186 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
189 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
190 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
191 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
192 BPF_MOV64_IMM(BPF_REG_3, 0),
193 BPF_EMIT_CALL(BPF_FUNC_probe_read),
194 BPF_MOV64_IMM(BPF_REG_0, 0),
195 BPF_EXIT_INSN(),
196 },
197 .errstr = "invalid indirect read from stack off -64+0 size 64",
198 .result = REJECT,
199 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
200 },
201 {
202 "helper access to variable memory: stack, JMP (signed), no min check",
203 .insns = {
204 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
207 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
208 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
209 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
210 BPF_MOV64_IMM(BPF_REG_3, 0),
211 BPF_EMIT_CALL(BPF_FUNC_probe_read),
212 BPF_MOV64_IMM(BPF_REG_0, 0),
213 BPF_EXIT_INSN(),
214 },
215 .errstr = "R2 min value is negative",
216 .result = REJECT,
217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
218 },
219 {
220 "helper access to variable memory: map, JMP, correct bounds",
221 .insns = {
222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
225 BPF_LD_MAP_FD(BPF_REG_1, 0),
226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
229 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
230 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
231 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
232 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val), 4),
233 BPF_MOV64_IMM(BPF_REG_4, 0),
234 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
235 BPF_MOV64_IMM(BPF_REG_3, 0),
236 BPF_EMIT_CALL(BPF_FUNC_probe_read),
237 BPF_MOV64_IMM(BPF_REG_0, 0),
238 BPF_EXIT_INSN(),
239 },
240 .fixup_map_hash_48b = { 3 },
241 .result = ACCEPT,
242 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
243 },
244 {
245 "helper access to variable memory: map, JMP, wrong max",
246 .insns = {
247 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
251 BPF_LD_MAP_FD(BPF_REG_1, 0),
252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
256 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
257 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
258 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) + 1, 4),
259 BPF_MOV64_IMM(BPF_REG_4, 0),
260 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
261 BPF_MOV64_IMM(BPF_REG_3, 0),
262 BPF_EMIT_CALL(BPF_FUNC_probe_read),
263 BPF_MOV64_IMM(BPF_REG_0, 0),
264 BPF_EXIT_INSN(),
265 },
266 .fixup_map_hash_48b = { 4 },
267 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
268 .result = REJECT,
269 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
270 },
271 {
272 "helper access to variable memory: map adjusted, JMP, correct bounds",
273 .insns = {
274 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
275 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
276 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
277 BPF_LD_MAP_FD(BPF_REG_1, 0),
278 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
282 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
284 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
285 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 20, 4),
286 BPF_MOV64_IMM(BPF_REG_4, 0),
287 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
288 BPF_MOV64_IMM(BPF_REG_3, 0),
289 BPF_EMIT_CALL(BPF_FUNC_probe_read),
290 BPF_MOV64_IMM(BPF_REG_0, 0),
291 BPF_EXIT_INSN(),
292 },
293 .fixup_map_hash_48b = { 3 },
294 .result = ACCEPT,
295 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
296 },
297 {
298 "helper access to variable memory: map adjusted, JMP, wrong max",
299 .insns = {
300 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
301 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
303 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
304 BPF_LD_MAP_FD(BPF_REG_1, 0),
305 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
306 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
310 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
311 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
312 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 19, 4),
313 BPF_MOV64_IMM(BPF_REG_4, 0),
314 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
315 BPF_MOV64_IMM(BPF_REG_3, 0),
316 BPF_EMIT_CALL(BPF_FUNC_probe_read),
317 BPF_MOV64_IMM(BPF_REG_0, 0),
318 BPF_EXIT_INSN(),
319 },
320 .fixup_map_hash_48b = { 4 },
321 .errstr = "R1 min value is outside of the array range",
322 .result = REJECT,
323 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
324 },
325 {
326 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
327 .insns = {
328 BPF_MOV64_IMM(BPF_REG_1, 0),
329 BPF_MOV64_IMM(BPF_REG_2, 0),
330 BPF_MOV64_IMM(BPF_REG_3, 0),
331 BPF_MOV64_IMM(BPF_REG_4, 0),
332 BPF_MOV64_IMM(BPF_REG_5, 0),
333 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
334 BPF_EXIT_INSN(),
335 },
336 .result = ACCEPT,
337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
338 },
339 {
340 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
341 .insns = {
342 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
343 BPF_MOV64_IMM(BPF_REG_1, 0),
344 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
346 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
347 BPF_MOV64_IMM(BPF_REG_3, 0),
348 BPF_MOV64_IMM(BPF_REG_4, 0),
349 BPF_MOV64_IMM(BPF_REG_5, 0),
350 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
351 BPF_EXIT_INSN(),
352 },
353 .errstr = "R1 type=inv expected=fp",
354 .result = REJECT,
355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
356 },
357 {
358 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
359 .insns = {
360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
362 BPF_MOV64_IMM(BPF_REG_2, 0),
363 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
364 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
365 BPF_MOV64_IMM(BPF_REG_3, 0),
366 BPF_MOV64_IMM(BPF_REG_4, 0),
367 BPF_MOV64_IMM(BPF_REG_5, 0),
368 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
369 BPF_EXIT_INSN(),
370 },
371 .result = ACCEPT,
372 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
373 },
374 {
375 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
376 .insns = {
377 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
378 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
380 BPF_LD_MAP_FD(BPF_REG_1, 0),
381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
382 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
384 BPF_MOV64_IMM(BPF_REG_2, 0),
385 BPF_MOV64_IMM(BPF_REG_3, 0),
386 BPF_MOV64_IMM(BPF_REG_4, 0),
387 BPF_MOV64_IMM(BPF_REG_5, 0),
388 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
389 BPF_EXIT_INSN(),
390 },
391 .fixup_map_hash_8b = { 3 },
392 .result = ACCEPT,
393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
394 },
395 {
396 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
397 .insns = {
398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
401 BPF_LD_MAP_FD(BPF_REG_1, 0),
402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
404 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
405 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
408 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
409 BPF_MOV64_IMM(BPF_REG_3, 0),
410 BPF_MOV64_IMM(BPF_REG_4, 0),
411 BPF_MOV64_IMM(BPF_REG_5, 0),
412 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
413 BPF_EXIT_INSN(),
414 },
415 .fixup_map_hash_8b = { 3 },
416 .result = ACCEPT,
417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
418 },
419 {
420 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
421 .insns = {
422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
425 BPF_LD_MAP_FD(BPF_REG_1, 0),
426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
429 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
430 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
431 BPF_MOV64_IMM(BPF_REG_3, 0),
432 BPF_MOV64_IMM(BPF_REG_4, 0),
433 BPF_MOV64_IMM(BPF_REG_5, 0),
434 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
435 BPF_EXIT_INSN(),
436 },
437 .fixup_map_hash_8b = { 3 },
438 .result = ACCEPT,
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
440 },
441 {
442 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
443 .insns = {
444 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
445 offsetof(struct __sk_buff, data)),
446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
447 offsetof(struct __sk_buff, data_end)),
448 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
450 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
452 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
453 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
454 BPF_MOV64_IMM(BPF_REG_3, 0),
455 BPF_MOV64_IMM(BPF_REG_4, 0),
456 BPF_MOV64_IMM(BPF_REG_5, 0),
457 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
458 BPF_EXIT_INSN(),
459 },
460 .result = ACCEPT,
461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
462 .retval = 0 ,
463 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
464 },
465 {
466 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
467 .insns = {
468 BPF_MOV64_IMM(BPF_REG_1, 0),
469 BPF_MOV64_IMM(BPF_REG_2, 0),
470 BPF_MOV64_IMM(BPF_REG_3, 0),
471 BPF_EMIT_CALL(BPF_FUNC_probe_read),
472 BPF_EXIT_INSN(),
473 },
474 .errstr = "R1 type=inv expected=fp",
475 .result = REJECT,
476 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
477 },
478 {
479 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
480 .insns = {
481 BPF_MOV64_IMM(BPF_REG_1, 0),
482 BPF_MOV64_IMM(BPF_REG_2, 1),
483 BPF_MOV64_IMM(BPF_REG_3, 0),
484 BPF_EMIT_CALL(BPF_FUNC_probe_read),
485 BPF_EXIT_INSN(),
486 },
487 .errstr = "R1 type=inv expected=fp",
488 .result = REJECT,
489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
490 },
491 {
492 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
493 .insns = {
494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
496 BPF_MOV64_IMM(BPF_REG_2, 0),
497 BPF_MOV64_IMM(BPF_REG_3, 0),
498 BPF_EMIT_CALL(BPF_FUNC_probe_read),
499 BPF_EXIT_INSN(),
500 },
501 .result = ACCEPT,
502 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
503 },
504 {
505 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
506 .insns = {
507 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
508 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
510 BPF_LD_MAP_FD(BPF_REG_1, 0),
511 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
514 BPF_MOV64_IMM(BPF_REG_2, 0),
515 BPF_MOV64_IMM(BPF_REG_3, 0),
516 BPF_EMIT_CALL(BPF_FUNC_probe_read),
517 BPF_EXIT_INSN(),
518 },
519 .fixup_map_hash_8b = { 3 },
520 .result = ACCEPT,
521 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
522 },
523 {
524 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
525 .insns = {
526 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
529 BPF_LD_MAP_FD(BPF_REG_1, 0),
530 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
531 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
532 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
533 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
536 BPF_MOV64_IMM(BPF_REG_3, 0),
537 BPF_EMIT_CALL(BPF_FUNC_probe_read),
538 BPF_EXIT_INSN(),
539 },
540 .fixup_map_hash_8b = { 3 },
541 .result = ACCEPT,
542 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
543 },
544 {
545 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
546 .insns = {
547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
550 BPF_LD_MAP_FD(BPF_REG_1, 0),
551 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
553 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
554 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
555 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
556 BPF_MOV64_IMM(BPF_REG_3, 0),
557 BPF_EMIT_CALL(BPF_FUNC_probe_read),
558 BPF_EXIT_INSN(),
559 },
560 .fixup_map_hash_8b = { 3 },
561 .result = ACCEPT,
562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
563 },
564 {
565 "helper access to variable memory: 8 bytes leak",
566 .insns = {
567 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
570 BPF_MOV64_IMM(BPF_REG_0, 0),
571 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
572 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
573 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
574 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
575 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
576 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
578 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
579 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
580 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
582 BPF_MOV64_IMM(BPF_REG_3, 0),
583 BPF_EMIT_CALL(BPF_FUNC_probe_read),
584 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
585 BPF_EXIT_INSN(),
586 },
587 .errstr = "invalid indirect read from stack off -64+32 size 64",
588 .result = REJECT,
589 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
590 },
591 {
592 "helper access to variable memory: 8 bytes no leak (init memory)",
593 .insns = {
594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
595 BPF_MOV64_IMM(BPF_REG_0, 0),
596 BPF_MOV64_IMM(BPF_REG_0, 0),
597 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
598 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
599 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
600 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
601 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
602 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
604 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
606 BPF_MOV64_IMM(BPF_REG_2, 0),
607 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
609 BPF_MOV64_IMM(BPF_REG_3, 0),
610 BPF_EMIT_CALL(BPF_FUNC_probe_read),
611 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
612 BPF_EXIT_INSN(),
613 },
614 .result = ACCEPT,
615 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
616 },